Gatford demonstrated that the login process (usernames and passwords) was encrypted with Secure Sockets Layer (SSL). But once logged in over public Wi-Fi, documents and text in a default Gmail, Yahoo! or Hotmail account were transmitted in a way that someone with wireless sniffing tools such as Wireshark, Hamster or Ferret could easily intercept, he said.

Soghoian said that webmail services had a strong incentive not to force SSL because "using and processing SSL transactions consumes vastly more processing power than regular transactions ... so providing users [full-time SSL] protection costs money".

Spokesmen for Yahoo!, Microsoft and Google told iTnews that their webmail login pages were secured with HTTPS and indicated they were "currently looking into" making it the default setting.

But several expressed concern that blanket implementation would result in a slow or unreliable user experience.

In a shot across the bows of Yahoo! and Microsoft, Google said "no other major webmail provider offers free, always-on HTTPS, and most don't provide any support for HTTPS at all".

Google said it "strives to provide a high level of security to our users" and "enables users to access a number of applications including Gmail, Docs and Calendar via HTTPS".

"Google Apps administrators also have the option to enforce HTTPS across an entire domain," the spokesman said.

Yahoo! said it "takes online security seriously and takes steps to safeguard user information".

"[We have] offered SSL and other password encryption methods for many years [and] rolled out SSL as our standard Web login approach across the Yahoo! network to deliver industry-standard encryption [but only for the login process]," a spokesman said.

A Microsoft spokesman said it offered encryption via SSL as an "option at log-in" and that "HTTPS is not necessarily a panacea ... other vectors need equal attention [so] we are investing in comprehensive solutions such as stronger credentials and protection against cookie replay attacks".
